Ransomware Cyberattack
Cyberattack on Grupo Fleury
Real Lessons in Resilience and Recovery in Critical Healthcare Infrastructure
The Incident: June 22, 2021

Attacker Group: REvil (Sodinokibi), Ransomware-as-a-Service; double extortion: data encryption and public leak threat
Scale of Attack: 200+ units paralyzed; 29 hospitals impacted; 2000+ infected devices
Demand: US$ 5 million; ransom unpaid
Recovery: via intact backups; coordinated response
The attack resulted in a direct loss of R$ 29.4 million
-8.5% in Net Profit
-19% in EBITDA

Additional Consequences
- Estimated losses of approximately 3% of quarterly revenue
- Emergency manual operations
- Increase in operational costs
- Reputational impact and drop in FLRY3 shares

"Even with a quick recovery, the financial and operational impact was significant."
Timeline: 8 Days of Recovery

June 22: Attack initiated; systems isolated and contingency plan activated
June 25: Partial restoration
June 28: Critical hospitals resume operations
Recovery expansion: 14 out of 29 hospitals operational
June 30: Full normalization; services and mobile app reestablished
Operational Recovery Strategy

Prioritization by Criticality: critical hospitals and services were restored first.
Security Validation: each system was extensively tested before reactivation.
Phased Approach: gradual recovery to avoid new compromises.
Contingency Maintained: manual operations continued until full stability was confirmed.

Technical Partnerships: PwC, Accenture, IBM, and Microsoft
Technical Recovery Strategy

Isolation: immediate containment of compromised systems
Backups: validation of intact copies for the recovery flow
Sanitization: forensic analysis and complete sanitization
Restoration: prioritization of critical systems
Monitoring: vigilance and post-recovery monitoring
Attack Vectors and Vulnerabilities

Phishing and Credentials: reused passwords, lack of Multi-Factor Authentication (MFA), excessive permissions. Initial point of intrusion.
Technical Vulnerabilities: the REvil group is known for exploiting specific vulnerabilities: vulnerabilities in VPN, RDP, and CVE-
Insufficient Segmentation: facilitated lateral movement within the network
Ineffective Monitoring: compromised anomaly detection

Tools used: Cobalt Strike, PsExec, and Mimikatz
Crisis Management and Communication

Controlled Transparency: regular and objective communications for stakeholders
Alternative Channels: Instagram, phone, and corporate WhatsApp activated
Direct Communication: hospitals and patients prioritized in contacts
Necessary Alignment: integration between the technical team and public relations
Lessons Learned and Best Practices

3-2-1 Backups: multiple copies, periodic validation, and offline storage
Continuous Training: phishing simulations and incident response
Security Culture: strategic integration between IT and business
Zero Trust Architecture: segmentation, monitoring, and active UEBA

"Cybersecurity is not an expense; it's an investment in business continuity."
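The 3-2-1 rule only pays off if the copies are actually verified before they are needed, as they were in the recovery described above. The following is an added illustration (not code from the page or from Grupo Fleury) of a periodic validation check: each copy is compared against a SHA-256 manifest recorded at backup time, and the 3-2-1 policy (at least three intact copies, two media types, one offline) is evaluated only over copies that still verify. File contents, copy names and media types are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample data: a manifest recorded at backup time and four backup
# copies on different media. The "nas" copy has one file altered to simulate
# a backup that was encrypted or tampered with by ransomware.
FILES = {"lab_results.db": b"patient lab results v42", "scheduler.cfg": b"queue=4\n"}
MANIFEST = {name: hashlib.sha256(data).hexdigest() for name, data in FILES.items()}

@dataclass
class BackupCopy:
    location: str   # descriptive label for the copy (constructed)
    medium: str     # e.g. "disk", "tape", "cloud"
    offline: bool   # air-gapped or immutable copy not reachable from the network
    files: dict = field(default_factory=dict)  # name -> bytes, standing in for file contents

def verify_copy(copy: BackupCopy, manifest: dict) -> list:
    """Return the names of files missing from the copy or whose SHA-256 differs from the manifest."""
    bad = []
    for name, expected in manifest.items():
        data = copy.files.get(name)
        if data is None or hashlib.sha256(data).hexdigest() != expected:
            bad.append(name)
    return bad

def check_3_2_1(copies: list, manifest: dict) -> dict:
    """Evaluate the 3-2-1 rule over the copies that still verify against the manifest."""
    intact = [c for c in copies if not verify_copy(c, manifest)]
    return {
        "intact_copies": [c.location for c in intact],
        "three_copies": len(intact) >= 3,
        "two_media": len({c.medium for c in intact}) >= 2,
        "one_offline": any(c.offline for c in intact),
    }

COPIES = [
    BackupCopy("primary-disk", "disk", False, dict(FILES)),
    BackupCopy("nas", "disk", False, {**FILES, "lab_results.db": b"ENCRYPTED"}),
    BackupCopy("tape-vault", "tape", True, dict(FILES)),
    BackupCopy("cloud-immutable", "cloud", True, dict(FILES)),
]

if __name__ == "__main__":
    for c in COPIES:
        bad = verify_copy(c, MANIFEST)
        print(f"{c.location}: {'OK' if not bad else 'CORRUPT ' + ', '.join(bad)}")
    print(check_3_2_1(COPIES, MANIFEST))
```

A copy that fails verification is excluded from the policy count, so a single corrupted copy surfaces as a policy violation when fewer than three intact copies remain.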
Strategic Opportunities for the Future

Governance: LGPD compliance and regulatory requirements
Response: 24/7 SOC and specialized managed services
Resilience: personalized preventive diagnosis
Compliance: security audits and certifications
No organization is immune. But all can be prepared.

70% Damage Reduction with fast and structured recovery
Recommended Next Steps

01 Technical Diagnosis: security maturity assessment
02 Executive Workshop: tailored digital resilience
03 Action Plan: customized protection strategy

10x Cost-Benefit: prevention vs. emergency response

The Fleury case proves that cyber resilience saves businesses